
All the meetings were “off the record” and I do not intend to breach confidence – but a common thread was that the pace of change is accelerating. It has left behind the “solutions” peddled by most commentators. It is, therefore, not surprising that main boards are getting pissed off with those who preach awareness instead of suggesting realistic action plans to address the threats they know they face today, let alone those they fear tomorrow.

Perhaps the most interesting feature of the ICAEW report was that the UK’s six largest audit practices have come together and compared notes. Two years ago cyber security was not on the agenda of any main board. This year over half their major clients have discussed it at least once. Much of the credit for that change must go to the publicity for the Government’s Ten Steps. But these were only a start point.

The four key points in the ICAEW report were:

Businesses should consider cyber in all their activities

Businesses need to accept that their security will be compromised

Businesses should focus on their critical information assets

Most Businesses do not get the basics right

My “quibble” with the ICAEW report is that their definition of “basics” focusses on the technology. The collapse of corporate loyalty (as a result of outsourcing) combined with annual turnover rates of over 30% among those with the skills in most demand (including information security) means that neglect of the basics with regard to people management and motivation is at least as dangerous.

The CEO of Tempest has agreed to do me a guest blog on the key points in his presentation but one of the most interesting was that neither the direction of the threat analysis, nor the communication of the results can be sensibly outsourced. The reason is that both depend on an understanding of the business, including its culture as well as its priorities and business models. This was particularly important given the way that groups of attackers target particular business sectors in different ways: thus those attacking media organisations are usually seeking to identify the sources used and compromise the integrity of news feeds rather than commit fraud, steal IPR or disrupt the printing presses. Much of the technical work of monitoring and responding to attacks, collating intelligence and “asset recovery” can, however, be outsourced.

This led me to wonder why it is that so few organisations have a vigorous “asset recovery” strategy. We often hear that it is “too difficult” but I have now heard of three large organisations which routinely use a mix of civil and criminal law to identify and bankrupt not only those who were defrauding them but the suppliers of the tools they use. It has been a win win strategy. They may not have been able to identify more than a fraction of the attackers or their accomplices but the volume and sophistication of the attacks on them has fallen dramatically: word got round the chat rooms and their attackers decided to focus on their less robust competitors instead.

Perhaps the most important message that I have picked up over the past fortnight is, however, that the main cyber security audit practices and consultancies are planning to double, treble or even quadruple the size of their forensics and investigation teams. This is happening at the same time as government is trying to do the same. Meanwhile UK and European regulators are planning to increase the compliance overheads that dishearten and distract those working for user staff, so that the latter will be more likely to leave for higher pay and more interesting work – lower risk and more probability of reward.

The current staff merry-go-round is therefore likely to accelerate sharply next Spring.

This will in turn present major opportunities for the technically competent but “bent” to infiltrate your organisation. One of the other groups of professionals that will also come under strain is therefore those who organise vetting and monitoring services. Co-operation will be essential and initiatives like the new CREST service for accrediting incident response services are most timely.

Therefore the first action point in the main board cyber security strategy should be the allocation of responsibility and budgets for identifying, vetting, training, monitoring and retaining the skills they need, including those which they must have in-house and those they can afford to contract out.

How big should those budgets be?

That will depend on the value of the assets to be protected to the organisation and to those attacking it – hence the importance of an intelligence led strategy.
